Lines Matching +full:generate +full:- +full:lockfile
2 american fuzzy lop++ - initialization related routines
3 ------------------------------------------------------
7 Now maintained by Marc Heuse <mh@mh-sec.de>,
12 Copyright 2019-2022 AFLplusplus Project. All rights reserved.
18 https://www.apache.org/licenses/LICENSE-2.0
26 #include "afl-fuzz.h"
44 afl->cpu_aff = cpuid; in bind_cpu()
107 /* Build a list of processes bound to specific cores. Returns -1 if nothing
113 u8 lockfile[PATH_MAX] = ""; local
116 if (afl->afl_env.afl_no_affinity && !afl->afl_env.afl_try_affinity) {
118 if (afl->cpu_to_bind != -1) {
120 FATAL("-b and AFL_NO_AFFINITY are mututally exclusive.");
129 if (afl->cpu_to_bind != -1) {
131 if (!bind_cpu(afl, afl->cpu_to_bind)) {
133 if (afl->afl_env.afl_try_affinity) {
137 "-b.",
138 afl->cpu_to_bind);
144 "-b.",
145 afl->cpu_to_bind);
155 if (afl->cpu_core_count < 2) { return; }
157 if (afl->sync_id) {
161 snprintf(lockfile, sizeof(lockfile), "%s/.affinity_lock", afl->sync_dir);
162 setenv(CPU_AFFINITY_ENV_VAR, lockfile, 1);
166 if ((lockfd = open(lockfile, O_RDWR | O_CREAT | O_EXCL,
194 if (lockfile[0]) unlink(lockfile);
195 WARNF("Unable to access /proc - can't scan for free CPU cores.");
205 all real-world use cases. */
214 if (!isdigit(de->d_name[0])) { continue; }
216 snprintf(fn, PATH_MAX, "/proc/%s/status", de->d_name);
228 if (!strncmp(tmp, "Cpus_allowed_list:\t", 19) && !strchr(tmp, '-') &&
255 if (lockfile[0]) unlink(lockfile);
266 if (lockfile[0]) unlink(lockfile);
278 // fix when ki_oncpu = -1
281 if (oncpu == -1) oncpu = procs[i].ki_lastcpu;
283 if (oncpu != -1 && oncpu < (s32)sizeof(cpu_used) && procs[i].ki_pctcpu > 60)
310 if (lockfile[0]) unlink(lockfile);
321 if (lockfile[0]) unlink(lockfile);
352 if (lockfile[0]) unlink(lockfile);
360 if (lockfile[0]) unlink(lockfile);
367 ncpus = n->value.i32;
376 if (lockfile[0]) unlink(lockfile);
398 for (i = 0; i < afl->cpu_core_count; i++) {
405 for (i = afl->cpu_core_count - 1; i > -1; i--) {
416 if (afl->fsrv.nyx_mode) { afl->fsrv.nyx_bind_cpu_id = i; }
427 if (lockfile[0]) unlink(lockfile);
429 if (i == afl->cpu_core_count || i == -1) {
431 SAYF("\n" cLRD "[-] " cRST
432 "Uh-oh, looks like all %d CPU cores on your system are allocated to\n"
433 " other instances of afl-fuzz (or similar CPU-locked tasks). "
437 afl->cpu_core_count,
438 afl->afl_env.afl_try_affinity ? ""
442 if (!afl->afl_env.afl_try_affinity) { FATAL("No more free CPU cores"); }
456 for (i = 0; i < cnt - 2; ++i) {
458 u32 j = i + rand_below(afl, cnt - i);
473 if (!afl->foreign_sync_cnt) return;
482 for (iter = 0; iter < afl->foreign_sync_cnt; iter++) {
484 if (afl->foreign_syncs[iter].dir && afl->foreign_syncs[iter].dir[0]) {
486 if (first) ACTF("Scanning '%s'...", afl->foreign_syncs[iter].dir);
489 u8 *name = strrchr(afl->foreign_syncs[iter].dir, '/');
492 name = afl->foreign_syncs[iter].dir;
514 nl_cnt = scandir(afl->foreign_syncs[iter].dir, &nl, NULL, NULL);
520 WARNF("Unable to open directory '%s'", afl->foreign_syncs[iter].dir);
534 afl->foreign_syncs[iter].dir);
544 snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "foreign sync %u", iter);
546 afl->stage_name = afl->stage_name_buf;
547 afl->stage_cur = 0;
548 afl->stage_max = 0;
555 alloc_printf("%s/%s", afl->foreign_syncs[iter].dir, nl[i]->d_name);
567 if (likely(st.st_mtime <= afl->foreign_syncs[iter].mtime)) {
621 fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout);
622 afl->syncing_party = foreign_name;
623 afl->queued_imported += save_if_interesting(afl, mem, len, fault);
624 afl->syncing_party = 0;
632 afl->foreign_syncs[iter].mtime = mtime_max;
641 afl->last_find_time = 0;
642 afl->queued_at_start = afl->queued_items;
659 /* Auto-detect non-in-place resumption attempts. */
663 fn1 = alloc_printf("%s/queue", afl->in_dir);
666 afl->in_dir = fn1;
675 dir = afl->in_dir;
691 SAYF("\n" cLRD "[-] " cRST
692 "The input directory does not seem to be valid - try again. The "
694 " one or more test case to start with - ideally, a small file "
706 if (unlikely(afl->old_seed_selection && afl->shuffle_queue && nl_cnt > 1)) {
718 --i;
722 snprintf(dfn, PATH_MAX, "%s/.state/deterministic_done/%s", afl->in_dir,
723 nl[i]->d_name);
724 u8 *fn2 = alloc_printf("%s/%s", dir, nl[i]->d_name);
737 if (subdirs && S_ISDIR(st.st_mode) && nl[i]->d_name[0] != '.') {
767 and probably very time-consuming. */
774 if (unlikely(afl->shm.cmplog_mode)) {
776 if (afl->cmplog_lvl == 1) {
778 if (!afl->cmplog_max_filesize ||
779 afl->cmplog_max_filesize < st.st_size) {
781 afl->cmplog_max_filesize = st.st_size;
785 } else if (afl->cmplog_lvl == 2) {
787 if (!afl->cmplog_max_filesize ||
788 afl->cmplog_max_filesize > st.st_size) {
790 afl->cmplog_max_filesize = st.st_size;
799 if (unlikely(afl->schedule >= FAST && afl->schedule <= RARE)) {
801 u64 cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size,
802 HASH_CONST); afl->queue_top->n_fuzz_entry = cksum % N_FUZZ_SIZE;
803 afl->n_fuzz[afl->queue_top->n_fuzz_entry] = 1;
815 if (!afl->queued_items && directory == NULL) {
817 SAYF("\n" cLRD "[-] " cRST
820 " needs one or more test case to start with - ideally, a small "
826 FATAL("No usable test cases in '%s'", afl->in_dir);
830 if (unlikely(afl->shm.cmplog_mode)) {
832 if (afl->cmplog_max_filesize < 1024) {
834 afl->cmplog_max_filesize = 1024;
838 afl->cmplog_max_filesize = (((afl->cmplog_max_filesize >> 10) + 1) << 10);
844 afl->last_find_time = 0;
845 afl->queued_at_start = afl->queued_items;
858 for (idx = 0; idx < afl->queued_items; idx++) {
860 q = afl->queue_buf[idx];
861 if (unlikely(!q || q->disabled)) { continue; }
866 if (unlikely(!q->len)) {
868 WARNF("Skipping 0-sized entry in queue (%s)", q->fname);
873 if (afl->afl_env.afl_cmplog_only_new) { q->colorized = CMPLOG_LVL_MAX; }
875 u8 *fn = strrchr(q->fname, '/') + 1;
879 fd = open(q->fname, O_RDONLY);
880 if (fd < 0) { PFATAL("Unable to open '%s'", q->fname); }
882 u32 read_len = MIN(q->len, (u32)MAX_FILE);
884 ck_read(fd, use_mem, read_len, q->fname);
890 if (afl->stop_soon) { return; }
892 if (res == afl->crash_mode || res == FSRV_RUN_NOBITS) {
895 q->len, q->bitmap_size, q->exec_us);
903 if (afl->crash_mode) { FATAL("Test case '%s' does *NOT* crash", fn); }
909 if (afl->timeout_given && !afl->afl_env.afl_exit_on_seed_issues) {
915 q->cal_failed = CAL_CHANCES;
916 q->disabled = 1;
917 q->perf_score = 0;
919 if (!q->was_fuzzed) {
921 q->was_fuzzed = 1;
922 --afl->pending_not_fuzzed;
923 --afl->active_items;
931 SAYF("\n" cLRD "[-] " cRST
934 " This is bad news; raising the limit with the -t option is "
941 afl->fsrv.exec_tmout);
949 if (afl->crash_mode) { break; }
951 if (afl->fsrv.mem_limit) {
955 SAYF("\n" cLRD "[-] " cRST
960 " - The test case causes known crashes under normal working "
964 " inputs - but not ones that cause an outright crash.\n\n"
966 " - The current memory limit (%s) is too low for this "
970 " bumping it up with the -m setting in the command line. "
980 " if you are using ASAN, set '-m 0'.\n\n"
982 " - In QEMU persistent mode the selected address(es) for the "
990 " - Least likely, there is a horrible bug in the fuzzer. If "
992 " fail, poke <afl-users@googlegroups.com> for "
995 afl->fsrv.mem_limit << 20),
996 afl->fsrv.mem_limit - 1);
1000 SAYF("\n" cLRD "[-] " cRST
1005 " - The test case causes known crashes under normal working "
1009 " inputs - but not ones that cause an outright crash.\n\n"
1011 " - In QEMU persistent mode the selected address(es) for the "
1019 " - Least likely, there is a horrible bug in the fuzzer. If "
1021 " fail, poke <afl-users@googlegroups.com> for "
1029 if (afl->fsrv.uses_crash_exitcode) {
1034 fn, (int)(s8)afl->fsrv.crash_exitcode);
1042 if (afl->afl_env.afl_exit_on_seed_issues) {
1044 FATAL("As AFL_EXIT_ON_SEED_ISSUES is set, afl-fuzz exits.");
1050 if (!q->was_fuzzed) {
1052 q->was_fuzzed = 1;
1053 --afl->pending_not_fuzzed;
1054 --afl->active_items;
1058 q->disabled = 1;
1059 q->perf_score = 0;
1062 while (unlikely(i < afl->queued_items && afl->queue_buf[i] &&
1063 afl->queue_buf[i]->disabled)) {
1069 if (i < afl->queued_items && afl->queue_buf[i]) {
1071 afl->queue = afl->queue_buf[i];
1075 afl->queue = afl->queue_buf[0];
1079 afl->max_depth = 0;
1080 for (i = 0; i < afl->queued_items && likely(afl->queue_buf[i]); i++) {
1082 if (!afl->queue_buf[i]->disabled &&
1083 afl->queue_buf[i]->depth > afl->max_depth)
1084 afl->max_depth = afl->queue_buf[i]->depth;
1092 FATAL("Unable to execute target application ('%s')", afl->argv[0]);
1096 if (afl->fsrv.nyx_mode && afl->fsrv.nyx_runner != NULL) {
1098 afl->fsrv.nyx_handlers->nyx_shutdown(afl->fsrv.nyx_runner);
1107 ++afl->useless_at_start;
1109 if (!afl->in_bitmap && !afl->shuffle_queue) {
1119 if (q->var_behavior) {
1129 if (cal_failures == afl->queued_items) {
1136 cal_failures, ((double)cal_failures) * 100 / afl->queued_items);
1138 if (cal_failures * 5 > afl->queued_items) {
1150 for (idx = 0; idx < afl->queued_items; idx++) {
1152 q = afl->queue_buf[idx];
1153 if (!q || q->disabled || q->cal_failed || !q->exec_cksum) { continue; }
1157 i < afl->queued_items && !done && likely(afl->queue_buf[i]); i++) {
1159 struct queue_entry *p = afl->queue_buf[i];
1160 if (p->disabled || p->cal_failed || !p->exec_cksum) { continue; }
1162 if (p->exec_cksum == q->exec_cksum) {
1167 if (p->len >= q->len) {
1169 if (!p->was_fuzzed) {
1171 p->was_fuzzed = 1;
1172 --afl->pending_not_fuzzed;
1173 --afl->active_items;
1177 p->disabled = 1;
1178 p->perf_score = 0;
1182 if (!q->was_fuzzed) {
1184 q->was_fuzzed = 1;
1185 --afl->pending_not_fuzzed;
1186 --afl->active_items;
1190 q->disabled = 1;
1191 q->perf_score = 0;
1205 afl->max_depth = 0;
1207 for (idx = 0; idx < afl->queued_items; idx++) {
1209 if (afl->queue_buf[idx] && !afl->queue_buf[idx]->disabled &&
1210 afl->queue_buf[idx]->depth > afl->max_depth)
1211 afl->max_depth = afl->queue_buf[idx]->depth;
1215 afl->queue_top = afl->queue;
1265 for (i = 0; i < afl->queued_items && likely(afl->queue_buf[i]); i++) {
1267 q = afl->queue_buf[i];
1269 if (unlikely(q->disabled)) { continue; }
1271 u8 *nfn, *rsl = strrchr(q->fname, '/');
1276 rsl = q->fname;
1294 afl->resuming_fuzz = 1;
1295 nfn = alloc_printf("%s/queue/%s", afl->out_dir, rsl);
1304 if (src_id < afl->queued_items) {
1306 struct queue_entry *s = afl->queue_buf[src_id];
1308 if (s) { q->depth = s->depth + 1; }
1312 if (afl->max_depth < q->depth) { afl->max_depth = q->depth; }
1318 /* No dice - invent a new name, capturing the original one as a
1336 afl->out_dir, id, afl->fsrv.total_execs, use_name);
1340 nfn = alloc_printf("%s/queue/id_%06u", afl->out_dir, id);
1348 link_or_copy(q->fname, nfn);
1349 ck_free(q->fname);
1350 q->fname = nfn;
1354 if (q->passed_det) { mark_as_det_done(afl, q); }
1356 if (afl->custom_mutators_count) {
1358 run_afl_custom_queue_new_entry(afl, q, q->fname, NULL);
1366 if (afl->in_place_resume) { nuke_resume_dir(afl); }
1381 if (!afl->resuming_fuzz) { return 0; }
1383 if (afl->in_place_resume) {
1385 fn = alloc_printf("%s/fuzzer_stats", afl->out_dir);
1389 fn = alloc_printf("%s/../fuzzer_stats", afl->in_dir);
1398 i = read(fd, tmp, sizeof(tmp) - 1);
1406 if (ret >= afl->queued_items) { ret = 0; }
1412 -t given, we don't want to keep auto-scaling the timeout over and over
1423 if (!afl->resuming_fuzz) { return; }
1425 if (afl->in_place_resume) {
1427 fn = alloc_printf("%s/fuzzer_stats", afl->out_dir);
1431 fn = alloc_printf("%s/../fuzzer_stats", afl->in_dir);
1440 i = read(fd, tmp, sizeof(tmp) - 1);
1450 afl->fsrv.exec_tmout = ret;
1451 afl->timeout_given = 3;
1469 if (d_ent->d_name[0] != '.' &&
1470 (!prefix || !strncmp(d_ent->d_name, prefix, strlen(prefix)))) {
1472 u8 *fname = alloc_printf("%s/%s", path, d_ent->d_name);
1496 number of runnable processes; the 1-minute load average can be a
1497 semi-decent approximation, though. */
1504 computed in funny ways and sometimes don't reflect extremely short-lived
1532 res = res * (1.0 - 1.0 / AVG_SMOOTHING) +
1543 /* Delete the temporary directory used for in-place session resume. */
1549 fn = alloc_printf("%s/_resume/.state/deterministic_done", afl->out_dir);
1553 fn = alloc_printf("%s/_resume/.state/auto_extras", afl->out_dir);
1557 fn = alloc_printf("%s/_resume/.state/redundant_edges", afl->out_dir);
1561 fn = alloc_printf("%s/_resume/.state/variable_behavior", afl->out_dir);
1565 fn = alloc_printf("%s/_resume/.state", afl->out_dir);
1569 fn = alloc_printf("%s/_resume", afl->out_dir);
1583 Resume fuzzing if `-` is set as in_dir or if AFL_AUTORESUME is set */
1588 u8 * fn = alloc_printf("%s/fuzzer_stats", afl->out_dir);
1594 afl->fsrv.out_dir_fd = open(afl->out_dir, O_RDONLY);
1595 if (afl->fsrv.out_dir_fd < 0) { PFATAL("Unable to open '%s'", afl->out_dir); }
1599 if (flock(afl->fsrv.out_dir_fd, LOCK_EX | LOCK_NB) && errno == EWOULDBLOCK) {
1601 SAYF("\n" cLRD "[-] " cRST
1604 " instance of afl-fuzz. You will need to choose a different %s\n"
1606 afl->sync_id ? "fuzzer ID" : "output location");
1608 FATAL("Directory '%s' is in use", afl->out_dir);
1634 if (!afl->in_place_resume && afl->autoresume) {
1637 afl->in_place_resume = 1;
1643 if (!afl->in_place_resume && last_update > start_time2 &&
1644 last_update - start_time2 > OUTPUT_GRACE * 60) {
1646 SAYF("\n" cLRD "[-] " cRST
1649 " than %d minutes worth of fuzzing. To avoid data loss, afl-fuzz "
1657 " session, pass '-' as input directory in the command line ('-i "
1658 "-')\n"
1662 FATAL("At-risk data found in '%s'", afl->out_dir);
1670 /* The idea for in-place resume is pretty simple: we temporarily move the old
1676 if (afl->in_place_resume) {
1678 u8 *orig_q = alloc_printf("%s/queue", afl->out_dir);
1680 afl->in_dir = alloc_printf("%s/_resume", afl->out_dir);
1682 rename(orig_q, afl->in_dir); /* Ignore errors */
1697 in <afl->out_dir>/.synced/.../id:*, if any are present. */
1699 if (!afl->in_place_resume) {
1701 fn = alloc_printf("%s/.synced", afl->out_dir);
1707 /* Next, we need to clean up <afl->out_dir>/queue/.state/ subdirectories: */
1709 fn = alloc_printf("%s/queue/.state/deterministic_done", afl->out_dir);
1713 fn = alloc_printf("%s/queue/.state/auto_extras", afl->out_dir);
1717 fn = alloc_printf("%s/queue/.state/redundant_edges", afl->out_dir);
1721 fn = alloc_printf("%s/queue/.state/variable_behavior", afl->out_dir);
1726 and everything matching <afl->out_dir>/queue/id:*. */
1728 fn = alloc_printf("%s/queue/.state", afl->out_dir);
1732 fn = alloc_printf("%s/queue", afl->out_dir);
1736 /* All right, let's do <afl->out_dir>/crashes/id:* and
1737 * <afl->out_dir>/hangs/id:*. */
1739 if (!afl->in_place_resume) {
1741 fn = alloc_printf("%s/crashes/README.txt", afl->out_dir);
1747 fn = alloc_printf("%s/crashes", afl->out_dir);
1750 doing in-place resume. */
1752 if (afl->in_place_resume && rmdir(fn)) {
1761 alloc_printf("%s.%04d-%02d-%02d-%02d:%02d:%02d", fn, t.tm_year + 1900,
1780 fn = alloc_printf("%s/hangs", afl->out_dir);
1784 if (afl->in_place_resume && rmdir(fn)) {
1793 alloc_printf("%s.%04d-%02d-%02d-%02d:%02d:%02d", fn, t.tm_year + 1900,
1814 if (afl->file_extension) {
1816 fn = alloc_printf("%s/.cur_input.%s", afl->tmp_dir, afl->file_extension);
1820 fn = alloc_printf("%s/.cur_input", afl->tmp_dir);
1827 fn = alloc_printf("%s/fuzz_bitmap", afl->out_dir);
1831 if (!afl->in_place_resume) {
1833 fn = alloc_printf("%s/fuzzer_stats", afl->out_dir);
1839 if (!afl->in_place_resume) {
1841 fn = alloc_printf("%s/plot_data", afl->out_dir);
1847 fn = alloc_printf("%s/cmdline", afl->out_dir);
1859 SAYF("\n" cLRD "[-] " cRST
1862 " some files that shouldn't be there or that couldn't be removed - "
1876 /* If this is a -S secondary node, ensure a -M main node is running,
1885 sd = opendir(afl->sync_dir);
1892 if (sd_ent->d_name[0] == '.' || !strcmp(afl->sync_id, sd_ent->d_name)) {
1898 fn = alloc_printf("%s/%s/is_main_node", afl->sync_dir, sd_ent->d_name);
1917 if (afl->sync_id && mkdir(afl->sync_dir, 0700) && errno != EEXIST) {
1919 PFATAL("Unable to create '%s'", afl->sync_dir);
1923 if (mkdir(afl->out_dir, 0700)) {
1925 if (errno != EEXIST) { PFATAL("Unable to create '%s'", afl->out_dir); }
1931 if (afl->in_place_resume) {
1937 afl->fsrv.out_dir_fd = open(afl->out_dir, O_RDONLY);
1941 if (afl->fsrv.out_dir_fd < 0 ||
1942 flock(afl->fsrv.out_dir_fd, LOCK_EX | LOCK_NB)) {
1952 if (afl->is_main_node) {
1954 u8 *x = alloc_printf("%s/is_main_node", afl->out_dir);
1964 tmp = alloc_printf("%s/queue", afl->out_dir);
1968 /* Top-level directory for queue metadata used for session
1971 tmp = alloc_printf("%s/queue/.state/", afl->out_dir);
1978 tmp = alloc_printf("%s/queue/.state/deterministic_done/", afl->out_dir);
1982 /* Directory with the auto-selected dictionary entries. */
1984 tmp = alloc_printf("%s/queue/.state/auto_extras/", afl->out_dir);
1990 tmp = alloc_printf("%s/queue/.state/redundant_edges/", afl->out_dir);
1996 tmp = alloc_printf("%s/queue/.state/variable_behavior/", afl->out_dir);
2002 if (afl->sync_id) {
2004 tmp = alloc_printf("%s/.synced/", afl->out_dir);
2006 if (mkdir(tmp, 0700) && (!afl->in_place_resume || errno != EEXIST)) {
2018 tmp = alloc_printf("%s/crashes", afl->out_dir);
2024 tmp = alloc_printf("%s/hangs", afl->out_dir);
2030 afl->fsrv.dev_null_fd = open("/dev/null", O_RDWR);
2031 if (afl->fsrv.dev_null_fd < 0) { PFATAL("Unable to open /dev/null"); }
2033 afl->fsrv.dev_urandom_fd = open("/dev/urandom", O_RDONLY);
2034 if (afl->fsrv.dev_urandom_fd < 0) { PFATAL("Unable to open /dev/urandom"); }
2038 tmp = alloc_printf("%s/plot_data", afl->out_dir);
2040 if (!afl->in_place_resume) {
2046 afl->fsrv.plot_file = fdopen(fd, "w");
2047 if (!afl->fsrv.plot_file) { PFATAL("fdopen() failed"); }
2050 afl->fsrv.plot_file,
2061 afl->fsrv.plot_file = fdopen(fd, "w");
2062 if (!afl->fsrv.plot_file) { PFATAL("fdopen() failed"); }
2064 fseek(afl->fsrv.plot_file, 0, SEEK_END);
2068 fflush(afl->fsrv.plot_file);
2083 tmp = alloc_printf("%s/cmdline", afl->out_dir);
2102 /* Setup the output file for fuzzed data, if not using -f. */
2106 if (afl->file_extension) {
2108 afl->fsrv.out_file =
2109 alloc_printf("%s/.cur_input.%s", afl->tmp_dir, afl->file_extension);
2113 afl->fsrv.out_file = alloc_printf("%s/.cur_input", afl->tmp_dir);
2117 unlink(afl->fsrv.out_file); /* Ignore errors */
2119 afl->fsrv.out_fd =
2120 open(afl->fsrv.out_file, O_RDWR | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
2122 if (afl->fsrv.out_fd < 0) {
2124 PFATAL("Unable to create '%s'", afl->fsrv.out_file);
2143 if (system("launchctl list 2>/dev/null | grep -q '\\.ReportCrash$'")) return;
2146 "\n" cLRD "[-] " cRST
2157 " launchctl unload -w ${SL}/LaunchAgents/${PL}.plist\n"
2158 " sudo launchctl unload -w ${SL}/LaunchDaemons/${PL}.Root.plist\n");
2179 "\n" cLRD "[-] " cRST
2218 if (afl->afl_env.afl_skip_cpufreq) { return; }
2220 if (afl->cpu_aff > 0) {
2223 afl->cpu_aff, "/cpufreq/scaling_governor");
2235 if (afl->cpu_aff > 0) {
2238 "/sys/devices/system/cpu/cpufreq/policy", afl->cpu_aff,
2287 SAYF("\n" cLRD "[-] " cRST
2288 "Whoops, your system uses on-demand CPU frequency scaling, adjusted\n"
2291 " kernel is imperfect and can miss the short-lived processes spawned "
2293 " afl-fuzz. To keep things moving, run these commands as root:\n\n"
2302 " set AFL_SKIP_CPUFREQ to make afl-fuzz skip this check - but expect "
2311 if (afl->afl_env.afl_skip_cpufreq) return;
2315 if (sysctlbyname("hw.cpufrequency_min", &min, &mlen, NULL, 0) == -1) {
2322 if (sysctlbyname("hw.cpufrequency_max", &max, &mlen, NULL, 0) == -1) {
2331 SAYF("\n" cLRD "[-] " cRST
2332 "Whoops, your system uses on-demand CPU frequency scaling, adjusted\n"
2336 " to make afl-fuzz skip this check - but expect some performance "
2353 size_t s = sizeof(afl->cpu_core_count);
2359 if (sysctlbyname("hw.logicalcpu", &afl->cpu_core_count, &s, NULL, 0) < 0)
2366 if (sysctl(s_name, 2, &afl->cpu_core_count, &s, NULL, 0) < 0) return;
2374 afl->cpu_core_count = sysconf(_SC_NPROCESSORS_ONLN);
2384 if (!strncmp(tmp, "cpu", 3) && isdigit(tmp[3])) ++afl->cpu_core_count;
2392 if (afl->cpu_core_count > 0) {
2401 /* Add ourselves, since the 1-minute average doesn't include that yet. */
2408 afl->cpu_core_count, afl->cpu_core_count > 1 ? "s" : "", cur_runnable,
2409 cur_runnable * 100.0 / afl->cpu_core_count);
2411 if (afl->cpu_core_count > 1) {
2413 if (cur_runnable > afl->cpu_core_count * 1.5) {
2417 } else if ((s64)cur_runnable + 1 <= (s64)afl->cpu_core_count) {
2419 OKF("Try parallel jobs - see %s/parallel_fuzzing.md.", doc_path);
2427 afl->cpu_core_count = 0;
2434 /* Validate and fix up afl->out_dir and sync_dir when using -S. */
2438 u8 *x = afl->sync_id;
2442 if (!isalnum(*x) && *x != '_' && *x != '-') {
2444 FATAL("Non-alphanumeric fuzzer ID specified via -S or -M");
2452 if (strlen(afl->sync_id) > 32) { FATAL("Fuzzer ID too long"); }
2454 x = alloc_printf("%s/%s", afl->out_dir, afl->sync_id);
2457 if (afl->fsrv.nyx_mode) { afl->fsrv.out_dir_path = afl->out_dir; }
2459 afl->sync_dir = afl->out_dir;
2460 afl->out_dir = x;
2485 FATAL("Custom ASAN_OPTIONS set without abort_on_error=1 - please fix!");
2490 if (!afl->debug && !strstr(x, "symbolize=0")) {
2492 FATAL("Custom ASAN_OPTIONS set without symbolize=0 - please fix!");
2507 MSAN_ERROR) " - please fix!");
2511 if (!afl->debug && !strstr(x, "symbolize=0")) {
2513 FATAL("Custom MSAN_OPTIONS set without symbolize=0 - please fix!");
2525 FATAL("Custom LSAN_OPTIONS set without symbolize=0 - please fix!");
2533 /* Handle stop signal (Ctrl-C, etc). */
2555 afl->shm_fuzz = ck_alloc(sizeof(sharedmem_t));
2557 // we need to set the non-instrumented mode to not overwrite the SHM_ENV_VAR
2558 u8 *map = afl_shm_init(afl->shm_fuzz, MAX_FILE + sizeof(u32), 1);
2559 afl->shm_fuzz->shmemfuzz_mode = 1;
2564 setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1);
2566 u8 *shm_str = alloc_printf("%d", afl->shm_fuzz->shm_id);
2570 afl->fsrv.support_shmem_fuzz = 1;
2571 afl->fsrv.shmem_fuzz_len = (u32 *)map;
2572 afl->fsrv.shmem_fuzz = map + sizeof(u32);
2577 isn't a shell script - a common and painful mistake. We also check for
2595 afl->fsrv.target_path = ck_strdup(fname);
2597 if (afl->fsrv.nyx_mode) {
2600 if (stat(afl->fsrv.target_path, &st) || S_ISDIR(st.st_mode)) {
2602 char *tmp = alloc_printf("%s/config.ron", afl->fsrv.target_path);
2613 afl->fsrv.target_path);
2618 if (stat(afl->fsrv.target_path, &st) || !S_ISREG(st.st_mode) ||
2633 cur_elem = ck_alloc(delim - env_path + 1);
2635 memcpy(cur_elem, env_path, delim - env_path);
2648 afl->fsrv.target_path = alloc_printf("%s/%s", cur_elem, fname);
2652 afl->fsrv.target_path = ck_strdup(fname);
2658 if (!stat(afl->fsrv.target_path, &st) && S_ISREG(st.st_mode) &&
2665 ck_free(afl->fsrv.target_path);
2666 afl->fsrv.target_path = 0;
2670 if (!afl->fsrv.target_path) {
2678 if (afl->afl_env.afl_skip_bin_check || afl->use_wine || afl->unicorn_mode ||
2679 (afl->fsrv.qemu_mode && getenv("AFL_QEMU_CUSTOM_BIN")) ||
2680 (afl->fsrv.cs_mode && getenv("AFL_CS_CUSTOM_BIN")) ||
2681 afl->non_instrumented_mode) {
2689 /* disabled. not a real-worl scenario where this is a problem.
2690 if ((!strncmp(afl->fsrv.target_path, "/tmp/", 5) &&
2691 !strchr(afl->fsrv.target_path + 5, '/')) ||
2692 (!strncmp(afl->fsrv.target_path, "/var/tmp/", 9) &&
2693 !strchr(afl->fsrv.target_path + 9, '/'))) {
2701 fd = open(afl->fsrv.target_path, O_RDONLY);
2703 if (fd < 0) { PFATAL("Unable to open '%s'", afl->fsrv.target_path); }
2709 PFATAL("Unable to mmap file '%s'", afl->fsrv.target_path);
2717 SAYF("\n" cLRD "[-] " cRST
2720 " sometimes generate shell stubs for dynamically linked programs; "
2722 " library mode (./configure --disable-shared) if that's the "
2733 FATAL("Program '%s' is a shell script", afl->fsrv.target_path);
2741 FATAL("Program '%s' is not an ELF binary", afl->fsrv.target_path);
2750 FATAL("Program '%s' is not a 64-bit or universal Mach-O binary",
2751 afl->fsrv.target_path);
2756 if (!afl->fsrv.qemu_mode && !afl->fsrv.frida_mode && !afl->unicorn_mode &&
2758 !afl->fsrv.nyx_mode &&
2760 !afl->fsrv.cs_mode && !afl->non_instrumented_mode &&
2763 SAYF("\n" cLRD "[-] " cRST
2766 " compile-time instrumentation to isolate interesting test cases "
2781 " (It is also possible to use afl-fuzz as a traditional, "
2782 "non-instrumented\n"
2783 " fuzzer. For that use the -n option - but expect much worse "
2791 if ((afl->fsrv.cs_mode || afl->fsrv.qemu_mode || afl->fsrv.frida_mode) &&
2794 SAYF("\n" cLRD "[-] " cRST
2795 "This program appears to be instrumented with afl-gcc, but is being "
2797 " QEMU mode (-Q). This is probably not what you "
2798 "want -\n"
2801 FATAL("Instrumentation found in -Q mode");
2809 afl->fsrv.uses_asan = 1;
2819 afl->persistent_mode = 1;
2820 afl->fsrv.persistent_mode = 1;
2821 afl->shmem_testcase_mode = 1;
2827 afl->persistent_mode = 1;
2828 afl->fsrv.persistent_mode = 1;
2829 afl->shmem_testcase_mode = 1;
2835 afl->persistent_mode = 1;
2836 afl->fsrv.persistent_mode = 1;
2837 afl->shmem_testcase_mode = 1;
2841 if (afl->fsrv.frida_mode ||
2846 afl->deferred_mode = 1;
2852 afl->deferred_mode = 1;
2866 if (afl->afl_env.afl_no_ui) {
2869 afl->not_on_tty = 1;
2880 afl->not_on_tty = 1;
2942 buf = afl->orig_cmdline = ck_alloc(len);
2953 if (i != argc - 1) { *(buf++) = ' '; }